CVE-2025-1691

CVSS v3 Score: 7.6 (High)

Vulnerability Description

The MongoDB Shell may be susceptible to control character injection, where an attacker with control of the mongosh autocomplete feature can use autocompletion to input and run obfuscated malicious text. This requires user interaction: the user must press ‘tab’ to autocomplete text that is a prefix of the attacker’s prepared autocompletion. This issue affects mongosh versions prior to 2.3.9. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

CVSS: 7.6 (High)

This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject...

CWE-74 | 2020
CVSS: 7.6 (High)

The PAX A920 device allows a bootloader downgrade due to a bug in its version check. The signature is correctly checked and only a bootloader signed by PAX can be used. The attacker must have physical USB ...

CWE-74 | 2023
CVSS: 7.5 (High)

TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4 and 4.4.x before 4.4.1 allows Header Injection in the secure download feature jumpurl.

CWE-74 | 2010
CVSS: 7.5 (High)

mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NU...

CWE-74 | 2015
CVSS: 7.5 (High)

AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."

CWE-74 | 2015